Is _time in UTC or local time?

jdunlea
Contributor

The documentation says the following:

"Note: The _time field is stored internally in UTC format. It is translated to human-readable Unix time format when Splunk Enterprise renders the search results (the very last step of search time event processing)."

Does this mean that when I view _time using (for example) | stats count by _raw _time
that the values for the _time field are actually the number of seconds that have passed since Jan 1st 1970 in UTC or in local time?

cpetterborg
SplunkTrust

Timestamps are universal, but are presented with a timezone. If you are using the _time in your stats command, then it will use the timestamp as a comparison. So internally it is looking at a UTC time, not local time, on all events. That way, a timestamp for events that happen simultaneously but in different timezones will have the same _time.
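
The behaviour described in the answer above, as an added Python example that is not part of the original thread and is not Splunk code: three constructed log lines record the same instant with different local offsets, normalize to one epoch value, and only differ again when rendered for a viewer. The host names, the fixed viewer offsets and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events: the same instant logged by hosts in three zones.
SAMPLE_EVENTS = [
    ("nyc-fw01", "2024-03-05T09:30:00-05:00"),
    ("lon-fw01", "2024-03-05T14:30:00+00:00"),
    ("tok-fw01", "2024-03-05T23:30:00+09:00"),
]


def to_epoch(timestamp: str) -> int:
    """Parse an ISO 8601 timestamp with an explicit offset into epoch seconds."""
    parsed = datetime.fromisoformat(timestamp)
    if parsed.tzinfo is None:
        # Without an offset the instant is ambiguous; refuse rather than guess a zone.
        raise ValueError(f"no UTC offset in {timestamp!r}")
    return int(parsed.timestamp())


def normalize(events):
    """Return {host: epoch} for a list of (host, timestamp) pairs."""
    return {host: to_epoch(ts) for host, ts in events}


def render(epoch: int, utc_offset_hours: float) -> str:
    """Format epoch seconds for a viewer at a fixed UTC offset (hypothetical display setting)."""
    viewer_zone = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch, tz=viewer_zone).strftime("%Y-%m-%d %H:%M:%S %z")


if __name__ == "__main__":
    for host, epoch in normalize(SAMPLE_EVENTS).items():
        # Stored value is identical per host; only the rendered string changes.
        print(host, epoch, render(epoch, 0), render(epoch, -5))
```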

mendesjo
Path Finder

Yes but how do you display your query in local time? Instead of UTC?

cpetterborg
SplunkTrust

Do you want to set the time(zone) in the query or are you referring to how the results are displayed?


mendesjo
Path Finder

Results displayed.. Meaning when I query Splunk, first column that says time is in UTC format. I want that to display in local time. Thanks

GDustin
Path Finder

"Local time" where?
You specify your explicit local time in SH/SHC/SPL GUI service; "Account Setting>Time Zone"
Otherwise local time where; the source, sourcetransport, indexer, SH Servicer, etc

I don't care what timezone it is [Yes, I very much do care] but I just want it displayed in Splunk; I am constantly reviewing my account settings and having to sensitize users to review their Account Setting>Time Zone for situational awareness. ISO standard is where no timezone then UTC-0 is assumed not the case in Splunk GUI; no timezone=Any host of settings; whatever is in the user's "Account Setting>Time Zone"; Splunk ingestion; no timezone=assumed UTC-0 - I want even playing field where Splunk eats its dog food in the GUI with _time display.

JoshMc
Loves-to-Learn

@GDustin wrote:

"Local time" where?
You specify your explicit local time in SH/SHC/SPL GUI service; "Account Setting>Time Zone"
Otherwise local time where; the source, sourcetransport, indexer, SH Servicer, etc


When using the Splunk UI (in a browser), then "local time" means that of the computer you're using. 
